Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
Kubernetes / Community / 2 Jun 2016
Kubernetes / Community / 2 Jun 2016
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: Kubernetes Community Meeting 20160602

Description

We have PUBLIC and RECORDED weekly video meetings every Thursday at 10am US Pacific Time.

https://docs.google.com/document/d/1VQDIAB0OqiSjIHI8AWMvSdceWhnz56jNpZrLs6o7NJY

Demo: kube-lego; 1.4 planning process; 1.3 release update

A

As I start, every meeting I will say we. This is a public and recorded meaning of kubernetes community and today is I believe June 2nd.

A

Although someone will have to confirm that's true and we will be going through our agenda today, getting a demo of kublai go from Christian Simon, and then we will do a 1.4 planning process update from David around check, and then we will go, do an update on the nice 1.3 and then, if we have anyone from the special interest groups that we want to don't want to give out reports we'll do a couple of those and then we will have a suspect short discussion about whether or not the once a month aysia friendly timing.

A

This is the second time we've done. This is useful to the broader community. So Christian, can you introduce yourself.

B

Yeah.

B

And today, I want to show you a quick demo of a thing called cube Lego. So the name consists of cuban SSR viously and of Lego, which stands for. Let's encrypt go I, try to share my screen. Yeah should work, I, think, and so the whole aim for a cube.

B

Lego is to read out of the Cuban artists ingress elements, what kind of certificates you need and then try to get them over the ACM, a protocol from let's encrypt, which so a CME I guess most of you have heard about it that it's like in protocol.

B

First, we couldn't see a you, can get the sort of certificates of yet different challenges and yeah so like there are four different challenges that you can use to verify that you are the domain validated owner for domain name and yeah, so I'm only using the HTTP yet just because of simplicity, one thing about let's encrypt, so they they have like in a user account. So you have a private key with this user account you can revoke certificates later and they limit the maximum certificate lifetime to ninety days.

B

So now I'm not too sure if it's gonna work, but my idea was to just prove that it's not prepared too much before so that certificates are generated really on the fly within the demo. I asked some in the audience if they could point like their private sub domain via a cname record to this coop lego, dot chat stack net.

B

So if you could do that, it would be perfect because that will show yet just that. It's really really life happening, the issuance of the certificates, I've posted it to the children chat and soon to everyone, the the cname destination. And maybe, if you could post your remain back, then I can try it in the minute.

B

During the last demo,.

A

Head and create a cname so keep taught yeah.

B

Sure so one important resource, and rather a new resource, is the the ingress resource and kublai go watches the ingress resource yeah just to know which certificates should be there. The ingress resources meant yeah to contain the rules, how external clients can access services in the cluster and yeah.

B

So it's from my point of view mainly focused on HTTP right now, so you can point certain virtual hosts two years in kubernetes service, there's one important difference compared to the to the service object, which actually implementation is contained in the true proxy for service, for example, and with integration, load, balancers and blah blah. But ingress has no no control in the kubernetes core, so you need like a custom controller for it. So there are.

A

In.

B

The country repository as there exist a few controllers so just to name one nginx and, for example, you can use the GCE forwarding rules for my demo. I'm gonna use nginx, so the whole cluster, the demo class, runs in AWS and I'm just breaking on layer 4. That means so. The EO B's handle only TCP and nginx handles the encryption and everything beyond that. On top of that, so I've prepared a little architecture overview with the resources involved.

B

So I have like the ingress resource of my hello world application, which references, a TLS secret and the actual service that should be seen publicly and quite similarly, I have my cube layer. Application. There's should be only one pod running and it contains the service to be accessible and, at some point, an ingress rule.

B

The ingress rule is managed by cube layer itself, and we will see it right now, so I am I'm just showing one flow so soon as kublai guy runs, it's gonna watch changes an ingress object and yet just to get the host names that should be available via TLS, so as soon as it recognizes the need for. For a new certificate, so it checks if the referenced secret exists or if it's expired or not, containing all the domain names.

B

So if that happens so that a new request is needed, it's gonna start with setting up the challenge endpoints. So there's like a sub path where you do the validation over and you have to set the ingress rule for that and yeah.

B

The next thing is kublai: go checks if there's already at this private user key existing if it's existing it's an stored in a secret resource and yeah, if not, it's gonna be created on the fly and stored in a secret resource for the next yeah next certificate, then we're gonna connect via API to let's encrypt and request the certificates with the domain names that are needed.

B

The next thing is we, let's encrypt calls our public endpoint and tries to find out if we are eligible for this certificate and if so, we get back the signed certificate cube.

A

Leggo.

B

Finally, stores the certificate in the secret resource- that is, reference, Perea, ingress, object and that's the end of the story. So now I'm gonna, move to the demo. So just give me a moment and.

A

You have a cname Beckett.

B

Looking for the window to share so.

B

Hopefully, everyone can see the T MUX now.

B

Okay, so here we see the state of the current cluster I'm running so I'm, having like the nginx ingress, running I'm having my hello world, echo, server, application running and some default back and to answer but 404 for everything that is not mapped to anything.

B

We see I'm, just an engineer secret, nothing else and we see no ingress objects and services for the pots we've created so now, I'm gonna start and create a conflict map for kublai, go the service to make it available publicly and a deployment just to deploy one part, so that works pretty well. If you look at the status yeah, we see the container is running. Now we have the new service as well, so we can continue with the ingress object for our echo server.

B

So just first I'm gonna use this demo URL and then I'm gonna. Add your cname Sarah. So right now, if I'm calling the domain name, it should return a 404 yeah. Thus, and now I'm gonna create the the ingress rule and then we should see the output from the echo server. So that's an ingress rule without TLS enabled I'm gonna run an apply now, so we have the ingress here and we should be able, with a curl, to get now to a non 404 output.

B

Something no it's there. So here is the echo output from the from back-row service, and now the interesting thing happens. So I'm gonna reconfiguring the the ingress object with this annotation. That just means kublai girl. Look at this ingress resource and yeah enable for the demo hostname the TLS and specify a secret name so I'm doing now to apply again that the changed object, and now we can see two creates a separate ingress object that contains the as well down path where the challenge happens.

B

From let's encrypt we can see here now, Kublai go account, object, be created, so that's the broad key, and so hopefully, if everything runs well.

B

That's not a Kublai, the log output we gonna get the certificate breakfast through. We are let's encrypt so right now the the Kublai go demon does sort of a soft check if it can reach itself, so that had happened before so like with this testing reach ability of the end point and as soon as the reach ability worked, it actually requested it from from let's encrypt and that's the end, it's shown the private keys and look at it, and now the object should be there.

B

So we see the TLS sir secret as well, so it's 23 seconds old, that's containing our private key and certificate, and now I should be able to curl it over HTTPS, which is working. So we have now the encryption there and, for example, if I want to look at the certificate, I can see it.

B

It is valid for the next 90 days and it's valid for this to my name and so now, I'm gonna, add.

B

Saris to mine so like Lego.

B

Chat.

A

Sarah, that is.

B

Okay, so I'm not pointing any kind of application behind it, so it doesn't really matter I'm just now applying the ingress object which should trigger the adding of the the other challenge. End point and if I look at the crew blogger output, it's now actually already recognized and try to find or try to get the self-check running. So it's still getting a 404. That just means nginx hasn't reconfigured. Yes, and it's like yeah. Now it's opening, so the check worked. We got the validation through the certificate this year.

B

Now it's usually taking a couple of seconds for Ingenix to reload the certificate, so we can give it a try to just look at a certificate- that's not there yet, but it should have many now there is it Kublai Gordo, Sarathy asus is now relegated and hopefully, if I'm gonna show it chromed and it should show the green sign.

B

And there it is after our certificate there and yeah. So the demo works pretty happy yeah. So I think if we don't have too much time left yeah. So if there are any questions, I'm gonna add my contact details and the github repo, which contains this kind of examples, I've run and okay thanks.

A

Christian, that's great fun and I was really excited to see. Let's encrypt and let's encrypt working with engine X that all came out late last year,.

B

Yes, I was pretty happy yeah. It worked pretty soon with my first kind of implementation for my private cluster and yeah. Now I did a bit. It's.

A

Very exciting and if you said, you'll put your contact info in the repo which we link off to from the show notes. That's a terrible thing to say our meeting notes awesome.

A

Well, thank you and I'm sure people reach out if they've got questions so I'm gonna hop on to the next item, because we are running just a little bit behind and I know that David is trying to catch a plane. So David are on Chika's for you to talk a little bit about the grand plan about planning, 1.4, hey.

C

Everyone can you hear me: okay, we.

A

Can.

C

Okay, so sorry the plane is boarding. So you're gonna hear some boarding messages in the background, but this shouldn't take too terrible.

C

So one thing that we've had a lot of requests for is a more general and community driven planning process, particularly when it comes to some of the larger features that are going to appear in future versions of kubernetes.

C

We a few weeks ago circulated a proposal to everyone and what I'm going to take on the responsibility is helping to close the proposal. I'm not doing that right now. What I am doing is just letting you know what the process is going to look like for placing that down. So with that.

A

Proposal we feature the future repo proposal. Are you talking about a different way, correct.

C

The future Reid proposal it was sent up to Pilates day.

A

Of every.

C

Week, so the plan is right. Now what we'd like to do is get nominees. You can nominate yourself, I'll, be sending out requests to Cooper that he's dead for people to nominate themselves to be part of a community p.m. group which will help to close this process down once we identify those people and all agree that the flow is what we agree to, we will agree.

C

We will basically go forward with that flow as a proposal and that flow might look like you have to submit a proposal to the feature repo that needs to be voted on their needs to be you know, testing or or issues associated with that, so on and so forth. I won't detail all that there there's a quite.

C

So, second to that is once we identify what that proposal is, they will have a set of steps that come out of it and basically identify all those individual steps that ultimately will result in us having a process for locking down on features.

C

I will share with you after this call and in the notes and then again on email, both the feature proposal and the feature repo, but I would like to say by the end of next week. That's next Friday to identify everyone who would like to be part of the community p.m. brick, it's not to say we're, locking it down. People can nominate themselves at any time, but that said by that point, if you haven't nominated yourself, you know joined our list and voted on the proposal.

C

You lose your chance on this first go-round, so I just want to make it clear to everyone that this is going on and see. If anyone has issues, objections and.

A

We'll bring this up also on next week's call, and it sounds like David you're, also sending email about this right. Yes,.

C

I promise to say once a day, reminding everyone to nominate themselves and join the feature repo as you watch it or so on cool. Ok, any questions comments, nominations, thoughts, yes, nominations. If you'd like to join up, send over a note, you name it: okay, I'm, waiting.

A

To board have a great trip, David, alright, so next up on today's agenda, this may be one of the shorter meetings we have next up on today's agenda is the 1.3 update, I believe that I saw TJ on here moments ago? Yes,.

D

I'm around here, fantastic.

A

Hello TJ.

D

Sorry before you move on, I was just looking through the kubernetes dev group at least, and there's nothing there, so not that I can find, if least based on that description. So the.

A

Kubernetes dev group, nothing based on which description on the conversation.

D

On what David was just saying, right.

A

He is going to send an email about it. Okay,.

D

He hasn't yet okay, he.

A

Has not yet, but he is referencing the feature, repo discussion that we had a few weeks ago from Erik Paris's recommendation that we separate all out feature issues future definitions instead of workflow within that out in its own repo, so that we can have more broad access and Ackles given so that people can say triage things, update issues more accurately label them that kind of stuff. So it's an extension of that. Okay.

D

Can you just post a link to that I'm searching partner and I can't actually find it sure.

A

I will find that and I will post it into the chat. Thank.

D

You.

A

Okay, so are we good to go on with TJ, then.

D

Sure so, release 1.3 update so quick check in on the four sort of key blocking features we called out. So the first is clock cross cluster service, Federation, otherwise known as uber Nettie's are part of uber Nettie's there's one remaining PR. It is about AWS integration, it has LG TM and it's just going to the process of getting tests working in merged and then a few ete tests need to be added, but that is finally an it's sort of last throes.

D

So second features stateful application, support, otherwise known as pet set. That is finished. All code is in as an alpha feature, scalability towards 2,000 nodes to serve the third high-level feature, and that work is, is all done and scaling towards 2,000 and testing is ongoing. And, lastly, the 44th feature is the distributed test. Dashboard and actually Eric theta from Google sent out an email to communities Deb earlier today. That's now live at test, kate's io and it is very cool.

D

If is a visual indication of all the tests that are run inside Google and whether or not they passed or failed, so you can sort of see visually how things are looking across all the different test, Suites and across time, as well as it supports uploading test results from third parties to be displayed in the same dashboard. So we have some I believe it's adhere and rocket. Nettie's already have tests being run outside Google and the results are being uploaded and displayed alongside it.

D

So that is the latest good news and that's how that one is done so that was sort of a pass over the the key features for one three, or at least the headliner ones in terms of timeline. That's the next thing to talk about before you go on question yeah, then, can you point to a single, cohesive description for what the pet set feature is, so this came up last week as well and yes, we will obviously a documentation that will be written over the next couple weeks before we launch. Is that sufficient?

D

Are you looking to look at something like right now, I'm wondering how I'm wondering how you could be saying that it's done if there's no actual description of what it is anywhere so there's a PR it XD, you've read: I, have read: 260 260, okay and I.

C

Think.

D

That is not sufficient. Okay, you cannot actually quite discern for a meeting 260. What what done would be? Okay, in that case I. Don't personally know if we have that doc in one place, I can go, who try to dig in some men along though okay I mean I I, think I'm just making sure that it isn't hiding somewhere that people can't find as opposed to not existing, and it sounds like it's not existing. So writing in grant just said in that there isn't a doc yet hey.

D

It sounds like that's the answer, whether or not that's ideal.

D

I'm, just not I, guess I, so something is done. It's not clear what done is and I'm just wondering how we know that the features that is complete if there isn't a single, cohesive description of what the feature set is but I'll I don't want to belabor this too much but I think for it to be done. We have to figure out whether what done is you know no I mean it's. It's a fair point for sure.

A

Brian is also reminding us that this is the alpha version of it, so it's not feature complete and it is the first underpinnings of. But yes, your point is well-taken that there needs to be a PR D. There needs to be documentation. That says what we think this, what we think we have accomplished and what we will be accomplishing going forward. Well,.

D

The the fact that it's alpha and as a subset is also not really been clearly communicated anywhere.

A

Almost every new feature goes in as alpha and the first time it appears.

D

Nevertheless, okay.

A

This is part of why we are we pulling together this whole product team and plan, and indeed indeed so, on the plus side, we've improved between 1.1 and 1.2 and 1.2 and 1.3, and we're going to keep continuing in that process, and in that vein, so I know Bob. You also volunteered your time and or someone from your team's time to help on that. So thank you. Yep awesome.

A

Were you going on to the next thing.

D

Yes, the next thing is just timeline of what remains for 1.3. We have three weeks and one day until our launch date, which we set for June 24th a while back and things appear to still be on track. We held a pretty hard line on feature complete and that does seem to be paying dividends as we go burned down the rest of the milestone. So the way those three weeks are gonna look is we will branch and release a beta Alfons?

D

Every two weeks will release a beta on June 10th, which is about a week away once that happens, then we once we branch head, will be unsliced, and so anyone will be able to check in feature a larger feature code into 1.4. So basically, head becomes the new 1.4 branch.

D

The launch will then be two weeks from next, so from June, tenth launching to June 24th. Well, we will go out the door we are having I think it's been mentioned in this meeting. The last few weeks, though I haven't been here, we're having these milestones burned down, meetings that anyone is invited to.

D

Let me know if you, if you are particularly interested in them, but it's basically a handful of people getting together three times a week, just a look at what is left in the view 1.3 milestone, and that means literally all the issues and all the PRS that have the V 1.3 milestone tag in them and github, because that is sort of our burn down list.

D

When that hits zero, we feel like we can launch as well as, of course, watching the queue and the test signals and all of those things and and working on Doc's, but but that is sort of the key code work that remains so basically the takeaway is that that is our time line and that, if you have anything that is a critical bug or issue that needs to get fixed for 1.3 make sure you are tagging it or having someone tag it with the V 1.3 milestone, because the queue is now turning away.

D

Any PRS that don't have that milestone.

A

Until the grant- yes.

D

Until the branch in just over a week.

A

Cool Thank You TJ. Does anybody have any questions about the timing and the where we are and or what wants to get added to that burn down list.

A

No or you're on you, okay, cool Thank, You, TJ I had a placeholder in here for sig reports, but I didn't have anybody who jumped up and done and said they wanted to offer a report on a special interest group? Does anybody have any statuses they want to give.

A

We'll do this quietly doesn't sound like it. Okay. Well then, I have one last issue of administrivia, which is I, don't see anyone that I don't recognize on here and for whom this is a much more convenient time. So is there anyone from say China or Japan or Hong Kong, for whom this is a better time today,.

A

I'll take that as a resounding not really fantastic, then I say that we for the time being, don't do. Is your friendly time zone meetings for a while until we get some rezoning cry for them, we've done too, and we've had exactly one person who was who found this a more convenient time.

A

Does that any bit second, video fantastic? Well, then, he longs raising his hands yay waving, okay, fantastic! Then I will say that this was a lovely and important experiment, but that we don't have a lot of people from the time zones where this is a lot more convenient and we will go back to 10:00 a.m. regularly until we hear something. Otherwise does anybody have anything else they want to cover, or do we get a half hour of our life back.

A

If it's depressing you're still on mute.

A

Alright, then have a great week. We will give more updates about the 1.4 planning process next week there will be emails about it, recommending that people nominate themselves each other friends family, all of that and and follow up with topics for next time. All right have a lovely Thursday evening and I will see you all in a week.

A

Thank you all right waving.